Data breaches are just another part of life these days, something we expect to encounter, like annoying robocalls or the junk mail that piles up inside our virtual and real-life mailboxes. Unfortunately, as with anything that becomes a part of everyday life, it’s easy to grow complacent about the dangers presented by hackers and the data breaches they perpetrate — which is a huge mistake, considering that cybercriminals are advancing and evolving all the time. This is evident in recently published data from one of the leading identity theft organizations. The Identity Theft Resource Center (ITRC) just published the results of its annual End-of-Year Data Breach Report, and the results might be surprising to those who are used to seeing a fairly steady increase in data breaches every year.

In fact, data breaches themselves are down by 23% from 2017 — but that doesn’t mean you should be pulling out the party hats and champagne just yet. Though breaches are down, the number of records containing sensitive personal information exposed in breaches jumped a staggering 126% from the year prior, to the tune of 447 million consumer records exposed in 2018. That’s nearly half a billion personal records, and it’s a very big deal. We’ll be diving into the details of this report to help explain what it means for the average person and what you can do with this knowledge to better protect yourself.

What kind of breaches were recorded in 2018?

A glance at the infographic put together by the ITRC shows the seesaw effect of the numbers recorded between 2017 and 2018. Data breaches themselves are down across almost every industry, but the number of records accessed during the attacks massively increased. As far as instances of breaches go, the business sector was hit hardest in 2018 with 571 breaches, followed by healthcare/medical with 363 incidents, banking/financial/credit with 135 incidents, government/military with 99 incidents and education with 76 incidents — all adding up to a total of 1,244 reported breaches in 2018. That’s definitely down from 2017’s total of 1,632 reported incidents; however, the total number of records exposed in 2017 was nearly 198 million, while that number skyrocketed in 2018 to nearly 447 million records exposed. Keep in mind, the numbers above only reflect sensitive personal information accessed (e.g., Social Security numbers, credit card numbers, birth dates) — a further 1.6 billion non-sensitive records were also exposed in 2018 (e.g., email addresses, usernames and passwords).

Important lessons to learn from this data

Criminals get smarter every day

No matter how you look at these numbers, it’s clear that there’s a significant problem, and no matter how much progress has been made by companies, the cybercriminals are keeping pace. As cybersecurity expert Adam Levin of CyberScout, which sponsored the study, explained to NBC News, cybercriminals are continuing to improve at what they do, which the ITRC’s numbers clearly show. And as more and more data is centralized, it’s easy for a single breach to yield many more pieces of information than might have been obtained from several intrusions in the past. This was demonstrated last October by a Facebook hack that gave the perpetrators access to upwards of 50 million user accounts, with potential access to even more user accounts thanks to “access tokens” that kept the accounts logged in. Attacks are increasingly focusing on the human element, using calculated phishing emails and sophisticated social engineering to trick people into making the kinds of mistakes computers might not. Both businesses and individuals are targets for these attacks, making data breaches a universal problem that reaches across industries.

It’s not only sensitive information you have to worry about

As noted earlier, even more non-sensitive records than sensitive records were reported as exposed in 2018. This is a much bigger deal than many companies that are breached would like you to think. Cybercriminals can use this information to link your online accounts together, since people are often in the habit of reusing credentials for their many online accounts. One cracked account can be all it takes to infiltrate a person’s entire online kingdom — you might not think it’s a big deal to use the same credentials for accounts you see as unimportant, but a smart cybercriminal can use information gleaned from one account to access others (or manipulate you in social engineering attacks). All kinds of identity theft can be committed using stolen records, from medical identity theft, which can take years to track down, to old-fashioned fraudulent credit card sprees. Thus, it’s important to pay attention to the details of what information was accessed whenever a breach is announced so you can understand the full spectrum of possible exposure you are facing.

Companies need to do a better job at transparency

It’s no secret that a data breach can be devastating for a company. From the PR nightmare and loss of consumer trust to the huge amount of money that must be spent in the aftermath on beefing up security, investigating what went wrong and providing restitution for victims, the last thing any major or minor company wants is a data breach on its hands. Even a data leak, which carries less of an impact but is still problematic, can seriously harm a business. So it’s natural that many might want to downplay an incident so consumers don’t get up in arms, but doing so can put consumers at risk because they don’t know what information of theirs might have been exposed — and, thus, aren’t able to take proper precautionary or reactionary measures to protect themselves. Transparency when it comes to privacy online is paramount, especially in an era where it can be generally assumed that every U.S. adult and millions of children have been exposed by at least one data breach, and we are increasingly providing more and more data to entities of all kinds.

The good news is, there are plenty of measures you can take to protect yourself, from utilizing a password manager to freezing your credit reports. You can learn all about them and keep up on the latest in cybersecurity news by following our blog.